Endesa Data Breach and Cyberattack: What Happened and What Customers Should Know

Spain’s largest electricity supplier, Endesa, has faced serious scrutiny over customer data security after a major regulatory fine and a more recent cyberattack affecting its commercial systems.

Together, these incidents have raised questions about how securely large energy companies protect the personal and financial data of millions of customers.

While Endesa remains one of Spain’s dominant electricity providers, the events highlight an increasingly important issue in the modern energy market: data security within utility companies.

The €6.1 Million GDPR Fine

In late 2023 the Spanish Data Protection Agency (AEPD) issued a major sanction against Endesa after identifying serious shortcomings in its data protection systems.

The investigation found that personal data belonging to approximately 6 million customers had been exposed due to inadequate security measures.

According to the regulator, the failures included:

•insufficient technical safeguards protecting customer databases
•weaknesses in internal systems handling contract data
•failures to adequately guarantee confidentiality of personal information

The AEPD determined that Endesa had not implemented appropriate security controls required under the EU’s General Data Protection Regulation (GDPR).

As a result, the company received a €6.1 million fine, one of the largest data protection penalties imposed in Spain’s energy sector.

The exposed information reportedly included personal identification details and data linked to electricity and gas contracts.

2026 Cyberattack on Customer Systems

More recently, in January 2026, Endesa confirmed it had suffered a cyberattack affecting systems used to manage customer contracts.

The breach reportedly allowed unauthorised access to a commercial platform connected to customer account data.

Potential Data Exposure:

•customer names and contact details
•DNI or identification numbers
•contract information
•bank account data including IBAN numbers

Security researchers later reported that millions of records were allegedly offered for sale on dark-web forums, although the exact number of affected customers has not been officially confirmed.

Endesa currently serves around 10 million electricity customers in Spain, meaning the incident could potentially affect a significant portion of its user base.

What Endesa Has Done

Following the cyberattack, the company stated it had taken immediate action to secure its systems.

blocking the compromised access points
launching an internal cybersecurity investigation
notifying Spain’s data protection authorities
informing customers potentially affected by the breach

Customers were also warned to remain cautious about phishing emails or suspicious phone calls pretending to come from Endesa.

Could Further Penalties Follow?

At the time of writing, no regulatory fine has yet been announced for the 2026 cyberattack.

However, the incident is likely to be reviewed by the AEPD under GDPR rules. If regulators determine that security measures were insufficient, additional sanctions could follow.

Under EU data protection law, penalties can reach up to €20 million or 4% of a company’s global annual turnover, whichever is higher.

Why This Matters for Energy Customers

Energy suppliers hold significant amounts of sensitive customer data, including identification details, addresses, billing history and banking information.

As the industry becomes increasingly digital, cybersecurity has become just as important as pricing and service reliability.

Incidents like this highlight why customers should always remain cautious when receiving unexpected emails or calls related to their energy account.

Advice for Customers

If you are an Endesa customer, experts recommend:

For more information on how to protect your energy account and understand how unauthorized switches happen, read our comprehensive guide on Energy Account Security in Spain.

monitoring your bank account for unusual transactions
ignoring unexpected emails requesting personal details
verifying communications directly through official Endesa channels
changing passwords associated with your energy account

Industry Perspective

While Endesa is not the only utility to face cybersecurity challenges, the case demonstrates the scale of risk involved when companies manage millions of customer records.

For consumers, transparency and strong data protection practices are becoming an increasingly important factor when choosing an energy supplier.

About Uswitch Energy

Uswitch Energy provides independent analysis of electricity tariffs in Spain and helps households and businesses understand their energy costs.

Free Electricity Bill Analysis

Frequently Asked Questions

What data was exposed in the Endesa breach?

Exposed information reportedly included names, DNI numbers, contact details, contract information, and in some cases, bank account data including IBAN numbers.

How many Endesa customers were affected?

A previous GDPR fine affected approximately 6 million customers. For the 2026 cyberattack, while millions of records were reportedly involved, the exact number of affected individuals hasn't been officially confirmed.

Was Endesa fined for the breach?

Yes, Endesa received a €6.1 million fine from the AEPD for security failures affecting 6 million customers. Regulators are also expected to review the more recent 2026 cyberattack.

What should Endesa customers do now?

Customers should monitor bank accounts for suspicious activity, ignore unexpected requests for personal data, and update their energy account passwords immediately.

Related Guides

See all guides